Displaying 20 results from an estimated 74 matches for "forgery".
2009 Jun 09
3
protect_from_forgery doesnt protect from forgery
Maybe I am grasping the full usage of this protect_from_forgery
function, but it does not seem to work for me. Imagine the following:
A simple website with a user that needs to log in to do certain stuff
and a closed off admin section that only certain users can access that
have the is_admin field set to true.
So to be clear, my User model has a login, passwo...
2008 May 08
1
disabling forgery protection
Hi,
I have to enable batch uploads to my website with CURL and forgery
protection in ApplicationController is standing in my way. I do use
the restful authentication plugin and I do call login_required on all
actions. Should I keep forgery protection around?
Forgery protection only makes sure that the client request has
originated from client's session, righ...
2010 Jul 19
0
Protect from forgery for Rest destroy action ???
Hi !!
I'm reading the Rails guides about security, and I had a question about the
forgery protection.
If we consider a standard Restful resource ( generated with scaffold for
example ), the update and create actions are protected from forgery
attacks thanks to the authenticity token, but what about the destroy
method ??
<a href="/posts/2"
data-method="...
2008 Aug 21
4
forgery Protection
...ms/1.8/gems/actionpack-2.1.0/lib/action_controller/benchmarking.rb:68:in
`perform_action_without_rescue'
/home/dara/apps/ruby-1.8.6/lib/ruby/1.8/benchmark.rb:293:in `measure'
I don't have the secret commented in the environment either.
Should I be trying to disable forgery protection for certain calls from
facebook/bebo ?
Cheers
2008 Aug 25
1
Catch forgery errors
Hi all,
I am using Ajax for some requests, but when the user session expires, I get
an ActionController::InvalidAuthenticityToken error.
Do you know how I could trap this error and redirect to the login panel?
--
Posted via http://www.ruby-forum.com/.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails:
2005 May 12
1
Cross-site Request Forgery
Hi all,
I stuck a little bit of information on CSRF on the wiki
(http://wiki.rubyonrails.com/rails/show/HowToAvoidCrossSiteRequestForgery)
and created a "Security Concerns" page from the home page
(http://wiki.rubyonrails.com/rails/show/Security+Concerns) - it would
be good to have a single point of information for all known security
holes and fixes (even if they aren't Rails specific). Ideally
information on CSRF s...
2009 May 05
3
Unable to deactivate forgery protection
Hi,
I just created a new Rails app that will be receiving some POSTed data
from the outside so it must skip the verify_authenticity_token for some
create actions. Although I have added:
skip_before_filter :verifiy_authenticity_token
I still get InvalidAuthenticityToken. In one of my other Rails apps
(created back in Rails 1.2.6 and updated to 2.3.2 over time) this
skipping works perfectly though.
2006 Aug 02
0
How to counter Cross Site Request Forgery?
Hi,
We would like to create a unique string when a user logs in and pass the
string between actions. Each user can compare the incoming string with
the one stored in the session to assert whether the request is coming
from within the application or from a malicious external source.
What mechanism can we use to pass this string around?
Passing as params to the actions may not be an option as
2010 Jul 08
2
rspec-rails how to selectively turn on csrf protection for controller specs?
...create action to not
use rails' default CSRF protection.
I've got that working fine & test it actually works with cucumber
(where I've turned CSRF back on, since it's full-stack testing) but
would like my controller spec to mention the need for
protect_from_forgery :except => [:create] (and fail when it's not
set).
I've not had any luck with telling the controller or
ActionController::Base to use forgery protection in the spec and am a
bit stuck.
Has anyone done this before, or do any of these look possible:
* reload the rails app for...
2013 Mar 24
6
forgery protection for multiple browser tabs
Hi,
http://apidock.com/rails/ActionController/RequestForgeryProtection only
maintains one CSRF token at a time. When a user visits some site, he gets a
new token in the session. He then might open a linked site of the same
rails app in a new browser tab (maybe some info he'd like to read), and
again he will get a new token. Then he changes to th...
2011 Jul 26
1
[Announce] Samba 3.5.10, 3.4.14 and 3.3.16 Security Releases Available
Release Announcements
=====================
Samba 3.5.10, 3.4.14 and 3.3.16 are security releases in order to
address CVE-2011-2522 (Cross-Site Request Forgery in SWAT) and
CVE-2011-2694 (Cross-Site Scripting vulnerability in SWAT).
o CVE-2011-2522:
The Samba Web Administration Tool (SWAT) in Samba versions
3.0.x to 3.5.9 are affected by a cross-site request forgery.
o CVE-2011-2694:
The Samba Web Administration Tool (SWAT) in Samba version...
2008 Sep 02
4
Rescue rails errors
...tion:
ActionController::InvalidAuthenticityToken in
ManageController#site_servers
ActionController::InvalidAuthenticityToken
I tried to put the code in manage controller between begin ... rescue
... end but it didn't catch the error.
So I tried in the application.rb controller, I put the forgery code
between begin ... rescue ... end, but it didn't work either.
How could I trap this error?
2008 Dec 22
0
FreeBSD Security Advisory FreeBSD-SA-08:12.ftpd
=============================================================================
FreeBSD-SA-08:12.ftpd Security Advisory
The FreeBSD Project
Topic: Cross-site request forgery in ftpd(8)
Category: core
Module: ftpd
Announced: 2008-12-23
Credits: Maksymilian Arciemowicz
Affects: All supported versions of FreeBSD.
Corrected: 2008-12-23 01:23:09 UTC (RELENG_7, 7.1-PRERELEASE)
2008-12-23 01:23:09 UTC (RELENG_7_1, 7.1-RC2...
2009 Mar 12
5
InvalidAuthenticityToken from home page
I'm trying to create a log in in index.html, but I keep getting an error
about InvalidAuthenticityToken. I understand this is something that RoR
puts in the forms, and it changes regularly. The problem is that the
home page in the public folder is HTML, and therefore static. Has anyone
else put a log in on their home page?
2004 Aug 06
0
Re: mail bounces
...est is broken if running a private ftp server is enough
to get you on the list. More collateral damage in the email wars.
I've requested a retest, which should get us off the list.
> and of less importance, but to raise awareness to those of you who
> aren't aware of SPF (SMTP Anti-Forgery - http://spf.pobox.com) xiph
> isn't publishing SPF records, which I would advise perhaps looking in
> to.
Sometimes forgery is useful. Otherwise it's a nice idea.
-r
--
Ralph Giles
Xiph.org sysadmin
--- >8 ----
List archives: http://www.xiph.org/archives/
Ogg project homepag...
2019 Jul 17
0
pigeonhole question: filtering on delivered-to in case of fetchmail
...t used fetchmail in many many years, so I can't answer anything specifically about it, but if you use it to allow external senders to send mail via your system in a way that is not authenticated then you should not do that.
I do NOT allow email claiming to be from my domains. The problem is
"forgery" of Reply-To headers. It isn't really forgery; as far as I know
there is no method to check this anywhere. People are allowed to put
what they want there. The setups in question do NOT allow
unauthenticated submission with a FROM from the internal domain.
I have erased the email in questi...
2008 Jun 06
2
422/InvalidAuthenticityToken with fb_request_form
All,
I'm using the ActiveRecord store for sessions and have gotten form
submissions to work, but I can't get the fb:request-form that's
generated by fb_request_form to work, it doesn't seem to add hidden
fields for the token. Should it? Can it even (add extra fields to
the fb:request-form)?
My view:
<% content_for("challenge_content") do %>
2008 Apr 04
4
Auto Complete Problems
Hello All,
I'm a RoR newbie, trying to experiment with Autocomplete, but I'm
having some difficulties. When I start typing in my input box, instead
of getting a nice drop down, the styling on my page is getting all out
of whack (i.e. my background colours change, link styling changes, etc.) and
I'm not seeing any autocompletion data. Here are the steps I've taken
2019 Jul 16
3
pigeonhole question: filtering on delivered-to in case of fetchmail
So, one of the problems I am seeing is that people are trying to fake
users into revealing information by sending from an outside domain but
with an internal reply to address and claiming to be administration, IT
or what not.
I can set up something that will reject if From is outside the domain but
Reply-To is internal. The problem is in some setups, there are fetchmail
setups. I do not want to